diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 7640b70..6faf8e1 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -8,7 +8,7 @@
 define(`consoletype_transition',`
 requires_block_template(`$0'_depend)
 allow $1 consoletype_exec_t:file { getattr read execute };
 allow $1 consoletype_t:process transition;
-type_transition $1 consoletype_exec_t:file consoletype_t;
+type_transition $1 consoletype_exec_t:process consoletype_t;
 dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index a3fcfbd..1e77b40 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -17,7 +17,7 @@
 define(`rpm_transition',`
 requires_block_template(`$0'_depend)
 allow $1 rpm_exec_t:file { getattr read execute };
 allow $1 rpm_t:process transition;
-type_transition $1 rpm_exec_t:file rpm_t;
+type_transition $1 rpm_exec_t:process rpm_t;
 dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 5eeed99..9e28046 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -17,7 +17,7 @@
 define(`bootloader_transition',`
 requires_block_template(`$0'_depend)
 allow $1 bootloader_exec_t:file { getattr read execute };
 allow $1 bootloader_t:process transition;
-type_transition $1 bootloader_exec_t:file bootloader_t;
+type_transition $1 bootloader_exec_t:process bootloader_t;
 dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 1286ce6..3ee99d9 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
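Review bot: The `_depend` block that `requires_block_template(`$0'_depend)` expands for consoletype_transition is outside this hunk, and it has to declare `class process { transition noatsecure siginh rlimitinh };` for the now-effective `type_transition ... :process` and the existing `allow $1 consoletype_t:process transition` to resolve; the corecommands.if hunk in this same diff adds exactly that line to its depend block, so the other *_transition templates touched here presumably need the same check. Switching the class from file to process is the right fix: with `:file` the statement was a file-labeling rule, no domain transition ever happened on exec, and a caller that could execute consoletype_exec_t either stayed in its own domain or was denied. A short comment above the rule, `# automatic domain transition on exec of consoletype_exec_t`, would make the role of the process class explicit to the next editor.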
@@ -35,7 +35,7 @@
 allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
 allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
 allow $1_t sendmail_exec_t:lnk_file { getattr read };
 allow $1_t $1_mail_t:process transition;
-type_transition $1_t sendmail_exec_t:file $1_mail_t;
+type_transition $1_t sendmail_exec_t:process $1_mail_t;
 kernel_read_kernel_sysctl($1_mail_t)
@@ -172,7 +172,7 @@
 requires_block_template(`$0'_depend)
 allow $1 sendmail_exec_t:lnk_file { getattr read };
 allow $1 sendmail_exec_t:file { getattr read execute };
 allow $1 system_mail_t:process transition;
-type_transition $1 sendmail_exec_t:file system_mail_t;
+type_transition $1 sendmail_exec_t:process system_mail_t;
 dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
 allow $1 system_mail_t:fd use;
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 7fd505e..ecaf4d1 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -100,6 +100,35 @@
 type login_exec_t;
 domain_make_entrypoint_file_depend
 ')
+########################################
+##
+##
+## Execute a login_program in the target domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The type of the login_program process.
+##
+##
+##
+#
+define(`authlogin_login_program_transition',`
+requires_block_template(`$0'_depend)
+# FIXME: search bin_t
+allow $1 login_exec_t:file { getattr read execute };
+allow $1 $2:process transition;
+type_transition $1 login_exec_t:process $2;
+dontaudit $1 $2:process { noatsecure siginh rlimitinh };
+')
+define(`authlogin_login_program_transition_depend',`
+type login_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
 #######################################
 #
 # authlogin_check_password_transition(domain)
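Review bot: `allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };` keeps execute_no_trans now that the type_transition to $1_mail_t actually fires, which means a $1_t process that can set its own exec context is still allowed to run sendmail without leaving $1_t, so confinement of mail submission in $1_mail_t is optional rather than enforced. If execute_no_trans was only there so exec would succeed while the old `:file` rule silently did nothing, this hunk is the place to drop it: `allow $1_t sendmail_exec_t:file { getattr read execute };`, which also matches the system_mail_t template later in this file that grants execute alone. If it is intentional, a comment stating why $1_t may run sendmail in its own domain would keep the next reader from removing it as a leftover. The enclosing template starts before this hunk.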
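Review bot: The `# FIXME: search bin_t` left in authlogin_login_program_transition means the template grants execute on login_exec_t without search on the directory that holds it, so a caller that relies on this template alone gets a directory search denial before the exec unless it already has that access from elsewhere; either resolve it here (`allow $1 bin_t:dir search;` plus `type bin_t;` in the depend block, assuming the login programs live under bin_t as the comment suggests) or reword the FIXME into a stated caller requirement. The interface summary should also say that `execute` is granted deliberately without `execute_no_trans`, because that is what makes `$2` the only domain a login program can run in for this caller. The `<summary>`/`<param>` tags seem to have been stripped in this rendering, so the doc block is worth checking against the source, including that the second parameter is named.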
@@ -266,7 +295,7 @@
 define(`authlogin_pam_transition',`
 requires_block_template(`$0'_depend)
 allow $1 pam_exec_t:file { getattr read execute };
 allow $1 pam_t:process transition;
-type_transition $1 pam_exec_t:file pam_t;
+type_transition $1 pam_exec_t:process pam_t;
 dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
 ')
@@ -363,7 +392,7 @@
 define(`authlogin_pam_console_transition',`
 requires_block_template(`$0'_depend)
 allow $1 pam_console_exec_t:file { getattr read execute };
 allow $1 pam_console_t:process transition;
-type_transition $1 pam_console_exec_t:file pam_console_t;
+type_transition $1 pam_console_exec_t:process pam_console_t;
 dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
 ')
@@ -426,7 +455,7 @@
 define(`authlogin_utempter_transition',`
 requires_block_template(`$0'_depend)
 allow $1 utempter_exec_t:file { getattr read execute };
 allow $1 utempter_t:process transition;
-type_transition $1 utempter_exec_t:file utempter_t;
+type_transition $1 utempter_exec_t:process utempter_t;
 dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 1b3a20c..0ba002e 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -15,7 +15,7 @@
 define(`clock_transition',`
 requires_block_template(`$0'_depend)
 allow $1 hwclock_exec_t:file { getattr read execute };
 allow $1 hwclock_t:process transition;
-type_transition $1 hwclock_exec_t:file hwclock_t;
+type_transition $1 hwclock_exec_t:process hwclock_t;
 dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 78f7d30..91aa8ad 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -148,7 +148,7 @@
 allow $1 bin_t:dir { getattr search read };
 allow $1 bin_t:lnk_file { getattr read };
 allow $1 shell_exec_t:file { getattr read execute };
 allow $1 $2:process transition;
-type_transition $1 shell_exec_t:file $2;
+type_transition $1 shell_exec_t:process $2;
 dontaudit $1 $2:process { noatsecure siginh rlimitinh };
 ')
@@ -157,6 +157,7 @@
 type bin_t, shell_exec_t;
 class dir { getattr search read };
 class lnk_file { getattr read };
 class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 43bef69..41a67b2 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -8,7 +8,7 @@
 define(`getty_transition',`
 requires_block_template(`$0'_depend)
 allow $1 getty_exec_t:file { getattr read execute };
 allow $1 getty_t:process transition;
-type_transition $1 getty_exec_t:file getty_t;
+type_transition $1 getty_exec_t:process getty_t;
 dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 97cdf4e..19e1466 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -8,7 +8,7 @@
 define(`hostname_transition',`
 requires_block_template(`$0'_depend)
 allow $1 hostname_exec_t:file { getattr read execute };
 allow $1 hostname_t:process transition;
-type_transition $1 hostname_exec_t:file hostname_t;
+type_transition $1 hostname_exec_t:process hostname_t;
 dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 37dc3eb..e4002c9 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -8,7 +8,7 @@
 define(`hotplug_transition',`
 requires_block_template(`$0'_depend)
 allow $1 hotplug_exec_t:file { getattr read execute };
 allow $1 hotplug_t:process transition;
-type_transition $1 hotplug_exec_t:file hotplug_t;
+type_transition $1 hotplug_exec_t:process hotplug_t;
 dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 8d9d1d2..efbf5e5 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -71,7 +71,6 @@
 class process { transition noatsecure siginh rlimitinh };
 role system_r;
 ')
-
 ########################################
 #
 # init_transition(domain)
@@ -80,7 +79,7 @@
 define(`init_transition',`
 requires_block_template(`$0'_depend)
 allow $1 init_exec_t:file { getattr read execute };
 allow $1 init_t:process transition;
-type_transition $1 init_exec_t:file init_t;
+type_transition $1 init_exec_t:process init_t;
 dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index e78c4a9..970fa6e 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -74,6 +74,7 @@
 files_create_daemon_runtime_data(init_t,init_var_run_t)
 # is also in this module
 allow init_t initrc_t:process transition;
 allow init_t initrc_exec_t:file { getattr read execute };
+type_transition init_t initrc_exec_t:process initrc_t;
 allow init_t self:fifo_file { read write ioctl };
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 6eb7669..7ba45fe 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
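Review bot: The open-coded init_t to initrc_t transition in init.te now has the `allow ... :process transition`, the `allow ... :file { getattr read execute }` and the new `type_transition`, but not the `dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };` that every *_transition template in this diff pairs with those three rules; unless those permissions are granted or silenced somewhere else in init.te outside this hunk, every rc script init launches will produce AVC denials that carry no decision value. Mirroring the template with that one dontaudit line next to the new type_transition keeps the hand-written rules consistent with the interface pattern. The `# is also in this module` comment is too terse to explain why an interface is not used here; if it means initrc_t and initrc_exec_t are declared in this module, saying so, e.g. `# initrc_t is declared in this module, so the rules are written directly`, would help.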
@@ -15,7 +15,7 @@
 define(`iptables_transition',`
 requires_block_template(`$0'_depend)
 allow $1 iptables_exec_t:file { getattr read execute };
 allow $1 iptables_t:process transition;
-type_transition $1 iptables_exec_t:file iptables_t;
+type_transition $1 iptables_exec_t:process iptables_t;
 dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index e02b15a..3f22b3d 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -17,7 +17,7 @@
 define(`libraries_ldconfig_transition',`
 requires_block_template(`$0'_depend)
 allow $1 ldconfig_exec_t:file { getattr read execute };
 allow $1 ldconfig_t:process transition;
-type_transition $1 ldconfig_exec_t:file ldconfig_t;
+type_transition $1 ldconfig_exec_t:process ldconfig_t;
 dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 70172a0..59b155b 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -6,16 +6,11 @@
 #
 define(`locallogin_transition',`
 requires_block_template(`$0'_depend)
-allow $1 login_exec_t:file { getattr read execute };
-allow $1 local_login_t:process transition;
-type_transition $1 login_exec_t:file local_login_t;
-dontaudit $1 local_login_t:process { noatsecure siginh rlimitinh };
+authlogin_login_program_transition($1,local_login_t)
 ')
 define(`locallogin_transition_depend',`
-type local_login_t, login_exec_t;
-class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+type local_login_t;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index 8ab67cc..d84f8d2 100644
--- a/refpolicy/policy/modules/system/lvm.if
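Review bot: `locallogin_transition_depend` now declares only `type local_login_t;` and leaves login_exec_t and the file/process classes to `authlogin_login_program_transition_depend`, which is correct only if the `requires_block_template` call inside the nested authlogin template lands in the same require context as the caller's; that cannot be confirmed from this hunk. If nested templates are not chained automatically, the depend block should pull the callee's in explicitly, `type local_login_t;` followed by `authlogin_login_program_transition_depend`, the same way the earlier authlogin.if hunk invokes `domain_make_entrypoint_file_depend` inside a depend block. A one-line comment that the exec and transition requirements come from the authlogin template would stop someone re-adding `class file`/`class process` here by hand.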
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -15,7 +15,7 @@
 define(`lvm_transition',`
 requires_block_template(`$0'_depend)
 allow $1 lvm_exec_t:file { getattr read execute };
 allow $1 lvm_t:process transition;
-type_transition $1 lvm_exec_t:file lvm_t;
+type_transition $1 lvm_exec_t:process lvm_t;
 dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index e983b41..dfd3d84 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -63,7 +63,7 @@
 define(`modutils_insmod_transition',`
 requires_block_template(`$0'_depend)
 allow $1 insmod_exec_t:file { getattr read execute };
 allow $1 insmod_t:process transition;
-type_transition $1 insmod_exec_t:file insmod_t;
+type_transition $1 insmod_exec_t:process insmod_t;
 dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
 ')
@@ -133,7 +133,7 @@
 define(`modutils_depmod_transition',`
 requires_block_template(`$0'_depend)
 allow $1 depmod_exec_t:file { getattr read execute };
 allow $1 depmod_t:process transition;
-type_transition $1 depmod_exec_t:file depmod_t;
+type_transition $1 depmod_exec_t:process depmod_t;
 dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
 ')
@@ -201,7 +201,7 @@
 define(`modutils_update_modules_transition',`
 requires_block_template(`$0'_depend)
 allow $1 update_modules_exec_t:file { getattr read execute };
 allow $1 update_modules_t:process transition;
-type_transition $1 update_modules_exec_t:file update_modules_t;
+type_transition $1 update_modules_exec_t:process update_modules_t;
 dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 86c21ab..51bfc3b 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -15,7 +15,7 @@
 define(`mount_transition',`
 requires_block_template(`$0'_depend)
 allow $1 mount_exec_t:file { getattr read execute };
 allow $1 mount_t:process transition;
-type_transition $1 mount_exec_t:file mount_t;
+type_transition $1 mount_exec_t:process mount_t;
 dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 05f492b..4d2f562 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -17,7 +17,7 @@
 define(`selinux_checkpolicy_transition',`
 requires_block_template(`$0'_depend)
 allow $1 checkpolicy_exec_t:file { getattr read execute };
 allow $1 checkpolicy_t:process transition;
-type_transition $1 checkpolicy_exec_t:file checkpolicy_t;
+type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
 ')
@@ -87,7 +87,7 @@
 define(`selinux_load_policy_transition',`
 requires_block_template(`$0'_depend)
 allow $1 load_policy_exec_t:file { getattr read execute };
 allow $1 load_policy_t:process transition;
-type_transition $1 load_policy_exec_t:file load_policy_t;
+type_transition $1 load_policy_exec_t:process load_policy_t;
 dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
 ')
@@ -171,7 +171,7 @@
 define(`selinux_newrole_transition',`
 requires_block_template(`$0'_depend)
 allow $1 newrole_exec_t:file { getattr read execute };
 allow $1 newrole_t:process transition;
-type_transition $1 newrole_exec_t:file newrole_t;
+type_transition $1 newrole_exec_t:process newrole_t;
 dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
 ')
@@ -291,7 +291,7 @@
 define(`selinux_restorecon_transition',`
 requires_block_template(`$0'_depend)
 allow $1 restorecon_exec_t:file { getattr read execute };
 allow $1 restorecon_t:process transition;
-type_transition $1 restorecon_exec_t:file restorecon_t;
+type_transition $1 restorecon_exec_t:process restorecon_t;
 dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
 ')
@@ -361,7 +361,7 @@
 define(`selinux_run_init_transition',`
 requires_block_template(`$0'_depend)
 allow $1 run_init_exec_t:file { getattr read execute };
 allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:file run_init_t;
+type_transition $1 run_init_exec_t:process run_init_t;
 dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
 ')
@@ -431,7 +431,7 @@
 define(`selinux_setfiles_transition',`
 requires_block_template(`$0'_depend)
 allow $1 setfiles_exec_t:file { getattr read execute };
 allow $1 setfiles_t:process transition;
-type_transition $1 setfiles_exec_t:file setfiles_t;
+type_transition $1 setfiles_exec_t:process setfiles_t;
 dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 05f492b..4d2f562 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -17,7 +17,7 @@
 define(`selinux_checkpolicy_transition',`
 requires_block_template(`$0'_depend)
 allow $1 checkpolicy_exec_t:file { getattr read execute };
 allow $1 checkpolicy_t:process transition;
-type_transition $1 checkpolicy_exec_t:file checkpolicy_t;
+type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
 ')
@@ -87,7 +87,7 @@
 define(`selinux_load_policy_transition',`
 requires_block_template(`$0'_depend)
 allow $1 load_policy_exec_t:file { getattr read execute };
 allow $1 load_policy_t:process transition;
-type_transition $1 load_policy_exec_t:file load_policy_t;
+type_transition $1 load_policy_exec_t:process load_policy_t;
 dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
 ')
@@ -171,7 +171,7 @@
 define(`selinux_newrole_transition',`
 requires_block_template(`$0'_depend)
 allow $1 newrole_exec_t:file { getattr read execute };
 allow $1 newrole_t:process transition;
-type_transition $1 newrole_exec_t:file newrole_t;
+type_transition $1 newrole_exec_t:process newrole_t;
 dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
 ')
@@ -291,7 +291,7 @@
 define(`selinux_restorecon_transition',`
 requires_block_template(`$0'_depend)
 allow $1 restorecon_exec_t:file { getattr read execute };
 allow $1 restorecon_t:process transition;
-type_transition $1 restorecon_exec_t:file restorecon_t;
+type_transition $1 restorecon_exec_t:process restorecon_t;
 dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
 ')
@@ -361,7 +361,7 @@
 define(`selinux_run_init_transition',`
 requires_block_template(`$0'_depend)
 allow $1 run_init_exec_t:file { getattr read execute };
 allow $1 run_init_t:process transition;
-type_transition $1 run_init_exec_t:file run_init_t;
+type_transition $1 run_init_exec_t:process run_init_t;
 dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
 ')
@@ -431,7 +431,7 @@
 define(`selinux_setfiles_transition',`
 requires_block_template(`$0'_depend)
 allow $1 setfiles_exec_t:file { getattr read execute };
 allow $1 setfiles_t:process transition;
-type_transition $1 setfiles_exec_t:file setfiles_t;
+type_transition $1 setfiles_exec_t:process setfiles_t;
 dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
 ')
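Review bot: selinux.if and selinuxutil.if receive byte-identical hunks and carry the same blob hashes (`index 05f492b..4d2f562` on both), so the tree holds two copies of one interface file and both now define `selinux_checkpolicy_transition`, `selinux_load_policy_transition`, `selinux_newrole_transition`, `selinux_restorecon_transition`, `selinux_run_init_transition` and `selinux_setfiles_transition`. If this is a rename in progress, the stale copy should be removed in the same commit instead of being kept in lockstep; otherwise whichever file is processed last silently wins the m4 definitions and a future fix applied to only one of them will be lost. Until then, a note in the commit message naming the canonical file would help.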
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index 65b5c53..5a3823a 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -8,13 +8,13 @@
 #
 # /etc
 #
-/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0)
+#/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0)
+#/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0)
+#/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0)
 /etc/resolv\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
-/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0)
+#/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0)
 #
 # /sbin
@@ -40,7 +40,7 @@
 #
 # /var
 #
-/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0)
+#/var/lib/dhcp3? -d context_template(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.* context_template(system_u:object_r:dhcpc_state_t,s0)
 /var/run/dhclient.*\.pid -- context_template(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 28ac0b8..9a88945 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -8,7 +8,7 @@
 define(`sysnetwork_dhcpc_transition',`
 requires_block_template(`$0'_depend)
 allow $1 dhcpc_exec_t:file { getattr read execute };
 allow $1 dhcpc_t:process transition;
-type_transition $1 dhcpc_exec_t:file dhcpc_t;
+type_transition $1 dhcpc_exec_t:process dhcpc_t;
 dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
 ')
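Review bot: Commenting out the dhcp_etc_t and dhcp_state_t entries leaves /etc/dhclient*.conf, /etc/dhclient-script, /etc/dhcpc.* and /var/lib/dhcp3? with whatever label their parent directory's default gives them, while the surviving `/var/lib/dhcp3?/dhclient.*` line still labels the lease files dhcpc_state_t inside a directory that is no longer distinctly labeled; any dhcpc_t rule written against dhcp_etc_t or dhcp_state_t keeps compiling but no longer matches anything on disk, and dhclient-script in particular will now be executed under the generic /etc label. No reason is given in the hunk; presumably those two types are declared by a different module and cannot be referenced from this .fc, in which case a comment such as `# dhcp_etc_t/dhcp_state_t are declared elsewhere; restore these entries once the owning module provides them` would record that. If the intent is to keep the client working, choose a fallback label this module owns deliberately rather than by parent-directory default.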
@@ -33,7 +33,7 @@
 define(`sysnetwork_ifconfig_transition',`
 requires_block_template(`$0'_depend)
 allow $1 ifconfig_exec_t:file { getattr read execute };
 allow $1 ifconfig_t:process transition;
-type_transition $1 ifconfig_exec_t:file ifconfig_t;
+type_transition $1 ifconfig_exec_t:process ifconfig_t;
 dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
 ')
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 1b39309..c5bf242 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -8,7 +8,7 @@
 define(`udev_transition',`
 requires_block_template(`$0'_depend)
 allow $1 udev_exec_t:file { getattr read execute };
 allow $1 udev_t:process transition;
-type_transition $1 udev_exec_t:file udev_t;
+type_transition $1 udev_exec_t:process udev_t;
 dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
 ')